BIND Issues

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at a large set of
problems in BIND; buffer overflows in KDE's LISA, libpng, masqmail,
FreeBSD resolver code, Windowmaker, Tiny HTTPd, and Zeroo HTTP Server;
and problems in Lib HTTPd, KDE's telnet and rlogin KIO code, Kgpg,
Squid, and UnixWare and OpenUnix's talkd.

BIND has a collection of vulnerabilities that can be used by a remote
attacker to execute arbitrary code and that can be used in a denial of
service attack against the name server. All versions of BIND earlier
than 9.2.1, 8.3.4, 8.2.7, and 4.9.11 are affected.

ISC recommends that users upgrade to version 9.2.1 or newer of BIND as
soon as possible. Users who cannot upgrade to 9.2.1 can upgrade to
BIND versions 8.3.4, 8.2.7, or 4.9.11.
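
One way to triage an inventory of name servers against the fixed releases listed above. This is an added example, not part of the original column or of ISC's tooling; the per-branch comparison rule is an assumption, and the hostnames and version strings are constructed sample data.

```python
import re

# Fixed releases named in the column, keyed by branch.
# Assumption (not stated in the column): a version is compared with the fixed
# release of its own branch; 8.x older than the 8.3 line is compared with 8.2.7.
FIXED = {"9": (9, 2, 1), "8.3": (8, 3, 4), "8.2": (8, 2, 7), "4": (4, 9, 11)}
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'named 8.3.3-REL'.

    Suffixes (-REL, -P1, rc1) are ignored and a missing patch level counts
    as 0. Returns None when the string holds no version number.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(text):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, _ = v
    if major == 9:
        fixed = FIXED["9"]
    elif major == 8:
        fixed = FIXED["8.3"] if minor >= 3 else FIXED["8.2"]
    elif major == 4:
        fixed = FIXED["4"]
    else:
        return "unknown"  # branch not covered by the column
    return "affected" if v < fixed else "fixed"


# Constructed inventory: hostnames and version strings are made-up sample data.
INVENTORY = {
    "ns1.example.net": "BIND 9.2.1",
    "ns2.example.net": "named 8.3.3-REL",
    "ns3.example.net": "8.2.7-REL",
    "ns4.example.net": "4.9.8",
    "ns5.example.net": "version hidden",
}

if __name__ == "__main__":
    for host, version in INVENTORY.items():
        print(f"{host}: {triage(version)}")
```

Hosts reported as `unknown` still need a manual check, since a server that hides or rewrites its version string cannot be cleared this way.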

KDE's LISA is a LAN browsing utility package. LISA is vulnerable to
buffer overflows that can be used by an attacker to execute code with
the permissions that LISA is running under (often root). Additionally,
under some conditions, an attacker may be able to access a user's
account using a bug in LISA.

Users should upgrade to KDE 3.0.5, apply the appropriate patches,
disable LISA, and remove its set user id bits, or remove LISA from the
system.

Lib HTTPd, a library implementing web server capabilities, contains a
bug that can be exploited to execute arbitrary code on the server with
the permissions of the user running the application linked to the
library. A script to automate the exploitation of this bug has been
released.

Users should watch for an update to Lib HTTPd and should consider
disabling applications built with it until they have been recompiled
using a repaired library.

It has been reported that there are several buffer overflows in the
libpng library that can be exploited in a denial of service attack
against any application linked to the library and may be exploitable
to execute code.

masqmail is a mail transfer agent designed for machines without a
continuous Internet connection. masqmail has buffer overflows that
can be exploited under some circumstances to execute code with root
permissions.

A flaw in the implementation of the KIO subsystem of KDE 2.1 and
higher and KDE 3 to 3.0.4 can be exploited using a specially contrived
URL in a KIO-enabled application, HTML email, or HTML page to execute
arbitrary commands on the system with the user's permissions.

It is recommended that KDE 3 users upgrade to KDE 3.0.5 or apply
patches to KDE 3.0.4. KDE 2 users unable to upgrade to KDE 3 should
disable the telnet and rlogin KIO protocols.

Windowmaker, a popular X Window manager, has a buffer overflow in the
code that handles showing images. Exploiting this buffer overflow
could under some circumstances be used to execute code with the
permissions of the user running Windowmaker.

It is recommended that users upgrade to Windowmaker version 0.80.2 or
the CVS version as soon as possible.

Tiny HTTPd, a small web server, is vulnerable to a buffer overflow
that can be used to execute code on the server with the permissions of
the user running Tiny HTTPd and is also vulnerable to a bug that can
be used to view arbitrary files on the server.

The last update to the SourceForge page for Tiny HTTPd was in April
2001. Users should consider looking for a web server that is being
actively maintained.

A bug in Kgpg (a frontend to GnuPG) results in the creation of
wizard-generated secret keys that have empty passphrases. An empty
passphrase in a secret key would allow any user that has access to
your key file or physical access to the computer they are stored on to
decrypt any file without the use of a key phrase.

It is possible to edit the secret keys and add a passphrase but it is
recommended that any wizard-generated keys be deleted and replaced.
Users should also upgrade Kgpg to version 0.9.

A number of security problems have been repaired in the web caching
software Squid. Code that has been repaired includes code that parses
FTP directory listings into HTML pages, Gopher client code, code
dealing with the MSNT auth helper, code that deals with FTP data
connections, and code that forwards proxy authentication credentials.

The Squid team recommends that users upgrade to version 2.4.STABLE7 of
Squid.

The Zeroo HTTP server is vulnerable to a buffer overflow that can be
used by a remote attacker to execute arbitrary code with the
permissions of the user running the web server. A script to automate
the exploitation of this vulnerability has been released.